Some Harbor configuration items are set separately from those covered in the Configure the Harbor YML File section. You can change them in the Harbor interface, through HTTP requests, or with an environment variable. This page describes the available configuration items and how to update them from the command line or with an environment variable.

Example Configuration Commands for the Command Line

Get the current configuration:

    curl -u "<username>:<password>" -H "Content-Type: application/json" -ki <Harbor Server URL>/api/v2.0/configurations

Update the current configuration:

    curl -X PUT -u "<username>:<password>" -H "Content-Type: application/json" -ki <Harbor Server URL>/api/v2.0/configurations -d'{"<item_name>":"<item_value>"}'

Update Harbor to use LDAP authentication:

Command

    curl -X PUT -u "<username>:<password>" -H "Content-Type: application/json" -ki https://harbor.sample.domain/api/v2.0/configurations -d'{"auth_mode":"ldap_auth"}'

Output

    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 08 May 2019 08:22:02 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 0
    Connection: keep-alive
    Set-Cookie: sid=a5803a1265e2b095cf65ce1d8bbd79b1; Path=/; HttpOnly

Restrict project creation to Harbor administrators:

Command

    curl -X PUT -u "<username>:<password>" -H "Content-Type: application/json" -ki https://harbor.sample.domain/api/v2.0/configurations -d'{"project_creation_restriction":"adminonly"}'

Output

    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 08 May 2019 08:24:32 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 0
    Connection: keep-alive
    Set-Cookie: sid=b7925eaf7af53bdefb13bdcae201a14a; Path=/; HttpOnly

Update the token expiration time:

Command

    curl -X PUT -u "<username>:<password>" -H "Content-Type: application/json" -ki https://harbor.sample.domain/api/v2.0/configurations -d'{"token_expiration":"300"}'

Output

    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 08 May 2019 08:23:38 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 0
    Connection: keep-alive
    Set-Cookie: sid=cc1bc93ffa2675253fc62b4bf3d9de0e; Path=/; HttpOnly

Set Configuration Items Using An Environment Variable

Harbor 2.3.0 introduced the ability to set the configuration through an environment variable, CONFIG_OVERWRITE_JSON, in the core container. Once CONFIG_OVERWRITE_JSON is set, you can only update or remove the configuration by changing CONFIG_OVERWRITE_JSON and restarting the container. You will not be able to update the configuration in the Harbor interface or from the command line.

Example CONFIG_OVERWRITE_JSON configuration:

    CONFIG_OVERWRITE_JSON={"ldap_verify_cert":"false", "auth_mode":"ldap_auth","ldap_base_dn":"dc=example,dc=com", "ldap_search_dn":"cn=admin,dc=example,dc=com","ldap_search_password":"admin","ldap_url":"myldap.example.com", "ldap_scope":2}

See the Harbor Configuration Items table below for more information about available inputs for CONFIG_OVERWRITE_JSON.

If there is a legacy user in your instance of Harbor, the authentication mode can’t be changed by the environment variable CONFIG_OVERWRITE_JSON.

Harbor Configuration Items

| Configuration item name | Description | Type | Required | Default Value |
| --- | --- | --- | --- | --- |
| auth_mode | Authentication mode, it can be db_auth, ldap_auth, uaa_auth or oidc_auth | string | | |
| primary_auth_mode | Set Identity Provider to be the primary auth method | boolean | optional | false |
| ldap_url | LDAP URL | string | required | |
| ldap_base_dn | LDAP base DN | string | required(ldap_auth) | |
| ldap_filter | LDAP filter | string | optional | |
| ldap_scope | LDAP search scope, 0-Base Level, 1-One Level, 2-Sub Tree | number | optional | 2-Sub Tree |
| ldap_search_dn | LDAP DN to search LDAP users | string | required(ldap_auth) | |
| ldap_search_password | LDAP DN's password | string | required(ldap_auth) | |
| ldap_timeout | LDAP connection timeout | number | optional | 5 |
| ldap_uid | LDAP attribute to indicate the username in Harbor | string | optional | cn |
| ldap_verify_cert | Verify the certificate when creating an SSL connection with the LDAP server, true or false | boolean | optional | true |
| ldap_group_admin_dn | LDAP Group Admin DN | string | optional | |
| ldap_group_attribute_name | LDAP group attribute: the LDAP attribute that indicates the group name in Harbor, it can be gid or cn | string | optional | cn |
| ldap_group_base_dn | The base DN in which to search for LDAP groups | string | required(ldap_auth and LDAP group) | |
| ldap_group_search_filter | The filter to search LDAP groups | string | optional | |
| ldap_group_search_scope | LDAP group search scope, 0-Base Level, 1-One Level, 2-Sub Tree | number | optional | 2-Sub Tree |
| ldap_group_membership_attribute | LDAP group membership attribute, to indicate the group membership, it can be memberof or ismemberof | string | optional | memberof |
| project_creation_restriction | Indicates which users can create projects, it can be everyone or adminonly | string | optional | everyone |
| read_only | The option to set the repository read only, it can be true or false | boolean | optional | false |
| self_registration | Users can register an account in Harbor, it can be true or false | boolean | optional | true |
| token_expiration | Security token expiration time in minutes | number | optional | 30 |
| uaa_client_id | UAA client ID | string | required(uaa_auth) | |
| uaa_client_secret | UAA certificate | string | required(uaa_auth) | |
| uaa_endpoint | UAA endpoint | string | required(uaa_auth) | |
| uaa_verify_cert | UAA verify cert, true or false | boolean | optional | true |
| oidc_name | Name for OIDC authentication | string | required(oidc_auth) | |
| oidc_endpoint | Endpoint for OIDC auth | string | required(oidc_auth) | |
| oidc_extra_redirect_parms | Extra parameters to add when redirecting the request to the OIDC provider | string | optional | {} |
| oidc_client_id | Client id for OIDC auth | string | required(oidc_auth) | |
| oidc_client_secret | Client secret for OIDC auth | string | required(oidc_auth) | |
| oidc_groups_claim | The name of a custom group claim that you have configured in your OIDC provider, that includes the groups to add to Harbor | string | optional | |
| oidc_admin_group | The name of the admin group. If the ID token of the user shows that the user is a member of this group, the user will have admin privilege in Harbor. Note: You can only set one Admin Group. | string | optional | |
| oidc_scope | Scope for OIDC auth | string | required(oidc_auth) | |
| oidc_verify_cert | Verify certificate for OIDC auth, true or false | boolean | optional | true |
| oidc_auto_onboard | Skip the onboarding screen, so the user cannot change their username. The username is provided from the ID Token, true or false | boolean | optional | false |
| oidc_user_claim | The name of the claim in the ID Token where the username is retrieved from | string | optional | name |
| robot_token_duration | Robot token expiration time in minutes | number | optional | 43200 (30days) |
| robot_name_prefix | Prefixed string for each robot account name | string | optional | robot$ |
| audit_log_forward_endpoint | Forward audit logs to the syslog endpoint, for example: harbor-log:10514 | string | optional | |
| skip_audit_log_database | Skip writing audit logs to the database, only available when the audit log forward endpoint is configured | boolean | optional | false |
| scanner_skip_update_pulltime | Vulnerability scanner (e.g. Trivy) will not update the image "last pull time" when the image is scanned | boolean | optional | |
| banner_message | The banner message for the UI. It is the stringified result of the banner message object | string | optional | |

Both booleans and numbers can be enclosed in double quotes in the request JSON; for example, 123, "123", "true" and true are all accepted.
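Because a CONFIG_OVERWRITE_JSON value can only be changed by restarting the core container, it is worth checking before deployment. The following is an added example, not part of Harbor or of the original page: a hypothetical `audit_overwrite` helper that checks a value against the Required column of the table, accepts quoted or bare booleans, and flags disabled certificate verification and secrets carried in the environment.

```python
import json

# Required keys per auth_mode, transcribed from the table above. ldap_url is listed
# there as plain "required"; grouping it under ldap_auth is an assumption.
REQUIRED = {
    "db_auth": [],
    "ldap_auth": ["ldap_url", "ldap_base_dn", "ldap_search_dn", "ldap_search_password"],
    "uaa_auth": ["uaa_client_id", "uaa_client_secret", "uaa_endpoint"],
    "oidc_auth": ["oidc_name", "oidc_endpoint", "oidc_client_id",
                  "oidc_client_secret", "oidc_scope"],
}
VERIFY_KEYS = ("ldap_verify_cert", "uaa_verify_cert", "oidc_verify_cert")
SECRET_KEYS = ("ldap_search_password", "uaa_client_secret", "oidc_client_secret")

def as_bool(value):
    """Accept true/false either bare or quoted, as the page says Harbor does."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"not a boolean: {value!r}")

def audit_overwrite(env_line):
    """Return a list of findings for one CONFIG_OVERWRITE_JSON=<json> line."""
    name, _, raw = env_line.partition("=")  # DNs contain '=', so split only once
    if name.strip() != "CONFIG_OVERWRITE_JSON":
        raise ValueError("expected CONFIG_OVERWRITE_JSON=<json>")
    cfg = json.loads(raw)
    findings = []
    mode = cfg.get("auth_mode")
    if mode is not None and mode not in REQUIRED:
        findings.append(f"unknown auth_mode {mode!r}")
    for key in REQUIRED.get(mode, []):
        if not cfg.get(key):
            findings.append(f"{mode}: missing required {key}")
    for key in VERIFY_KEYS:
        if key in cfg and not as_bool(cfg[key]):
            findings.append(f"{key} is false: certificate verification disabled")
    for key in SECRET_KEYS:
        if key in cfg:
            findings.append(f"{key} is held in plaintext in the container environment")
    return findings

# The page's own example value, then a constructed oidc_auth value with two keys missing.
PAGE_EXAMPLE = 'CONFIG_OVERWRITE_JSON={"ldap_verify_cert":"false", "auth_mode":"ldap_auth","ldap_base_dn":"dc=example,dc=com", "ldap_search_dn":"cn=admin,dc=example,dc=com","ldap_search_password":"admin","ldap_url":"myldap.example.com", "ldap_scope":2}'
CONSTRUCTED = 'CONFIG_OVERWRITE_JSON={"auth_mode":"oidc_auth","oidc_name":"sso","oidc_endpoint":"https://idp.example.com","oidc_client_id":"harbor","oidc_verify_cert":true}'

if __name__ == "__main__":
    for line in (PAGE_EXAMPLE, CONSTRUCTED):
        print(audit_overwrite(line))
```

Run against the page's example value, it reports that ldap_verify_cert is disabled and that the LDAP search password sits in the environment; anyone who can read the container's environment can read that password.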